On Tue, 2 Jun 2009, Charles Gregory wrote:
Just to be sure that I'm thinking the right way about the 'no text body part' rule: If someone sends a 'normal' message, but elects to not type any text into the body, there *will* still be a mime 'text' section, and it will just be empty, right?
I think all MIME email clients do behave that way, yes.
So the 'no text body' would mean that the message was created *only* by a spam client that fails to add it?
Well, any tool that's composing MIME messages can choose to omit a text body part if no text is available - for example, a command-line tool that forwarded webcam images or screen shots might reasonably omit a text body part and create a message that would hit this rule.
In practice, we're only seeing it in spams. There may be false positives in some unusual situations, but it's not likely with legitimate human-generated email. Score accordingly.
-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 ----------------------------------------------------------------------- Any time law enforcement becomes a revenue center, the system becomes corrupt. ----------------------------------------------------------------------- 4 days until the 65th anniversary of D-Day